New Windows print spooler zero-day exploitable via remote print servers (Security News, July 2021)

Another zero-day vulnerability in the Windows Print Spooler can give a threat actor administrative privileges on a Windows machine via a remote print server under the attacker's control, abusing the 'Queue-Specific Files' feature.
Since the incomplete fix for the earlier Print Spooler flaw, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the print spooler.
Security researcher and Mimikatz creator Benjamin Delpy has publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control.
In a conversation with BleepingComputer, Delpy said that his exploit uses the 'Queue-Specific Files' feature of the Windows Point and Print capability to automatically download and execute a malicious DLL when a client connects to a print server under an attacker's control.
"While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary ICM files," the new CERT advisory explains.
A better way to prevent this exploit is to restrict Point and Print to a list of approved servers using the 'Package Point and print - Approved servers' group policy, so that clients will only install printer drivers and their associated files from servers an administrator has explicitly allowed.
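A defender will want to confirm that the approved-servers policy is actually in force on a given host rather than merely set in a GPO. The following is an added PowerShell audit script, not code from the article or from Delpy; the registry paths and value names are the locations these Point and Print policies are assumed to write to, so verify them against your own ADMX templates before relying on the result.

```powershell
# Added example: audit whether Package Point and Print on this host is
# restricted to an approved server list. Paths/value names are assumptions
# based on the Printers policy keys; confirm against your GPO templates.
$pppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 'Package Point and print - Approved servers' enables the list (DWORD 1)
# and stores one value per allowed server under the ListofServers subkey.
$listEnabled = Get-PolicyValue -Path $pppKey -Name 'PackagePointAndPrintServerList'
# 'Only use Package Point and print' blocks non-package (legacy) driver installs.
$packageOnly = Get-PolicyValue -Path $pppKey -Name 'PackagePointAndPrintOnly'

$servers = @()
if (Test-Path -Path "$pppKey\ListofServers") {
    $servers = (Get-Item -Path "$pppKey\ListofServers").GetValueNames()
}

[pscustomobject]@{
    ApprovedServerListEnabled = ($listEnabled -eq 1)
    ApprovedServers           = ($servers -join ', ')
    PackagePointAndPrintOnly  = ($packageOnly -eq 1)
}

if ($listEnabled -ne 1 -or $servers.Count -eq 0) {
    Write-Warning 'Package Point and Print is NOT restricted to an approved server list; clients may fetch drivers and queue-specific files from any print server.'
}
```

Run it elevated on a sample of workstations after a policy refresh (gpupdate /force) so you are reading the applied state, not a stale cache.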